I have a FreeBSD firewall/router using PF with OpenVPN configured as client mode so that all my traffic goes through the vpn connection via the vpn provider.
When the OpenVPN connection is active on my firewall I can't get port forwarding to work properly on the internet facing interface, this is resulting in me not being able to connect to my internal OpenVPN server. As it looks now I am forwarding port 1194 on my WAN to my private OpenVPN server I have on my LAN at 192.168.1.99. If I understand correclty the problem is that when I try to connect to my OpenVPN server the packtes are being forwarded on my WAN interface but all of the replies are being sent trough the vpn connection (tun0).
Is there anyone here that can help me with this problem?
My pf.conf files looks like this (I have removed a lot of standard stuff):
As you can see in my pf file I have done some tries with reply-to but with no success, maybe I am doing it wrong?
When the OpenVPN connection is active on my firewall I can't get port forwarding to work properly on the internet facing interface, this is resulting in me not being able to connect to my internal OpenVPN server. As it looks now I am forwarding port 1194 on my WAN to my private OpenVPN server I have on my LAN at 192.168.1.99. If I understand correclty the problem is that when I try to connect to my OpenVPN server the packtes are being forwarded on my WAN interface but all of the replies are being sent trough the vpn connection (tun0).
Is there anyone here that can help me with this problem?
My pf.conf files looks like this (I have removed a lot of standard stuff):
Code:
ext_if="em0" # WAN network
int_if="lagg0" # LAN network
vpn_if="tun0" # VPN network
# Internal OpenVPN server and the clients network
openvpn = "192.168.1.99"
vpnclients = "172.16.16.0/24"
table <lan_network> { $int_if:network, !$openvpn }
# NAT all LAN traffic trought VPN connection
nat on $vpn_if from <lan_network> to any -> ($vpn_if:0)
nat on $ext_if from $openvpn to any -> ($ext_if:0)
# NAT internel OpenVPN clients outside for internet access
nat on $vpn_if from $vpnclients to any -> ($vpn_if)
rdr pass on $ext_if proto udp from any to $ext_if port 1194 -> $openvpn port 1194
pass in quick on $int_if reply-to ($int_if 192.168.1.1) from any to 192.168.1.99 keep state
# Prevent VPN bypass
block out quick log on $ext_if from <lan_network> to any
# Pass out everything to VPN connection
pass out quick on $vpn_if inet modulate state
As you can see in my pf file I have done some tries with reply-to but with no success, maybe I am doing it wrong?